Bryan Beaudreault created HBASE-26548:
-----------------------------------------
Summary: Investigate mTLS in RPC layer
Key: HBASE-26548
URL: https://issues.apache.org/jira/browse/HBASE-26548
Project: HBase
Issue Type: New Feature
Reporter: Bryan Beaudreault
Current authentication options are heavily based on SASL and Kerberos. For
organizations that don't already deploy Kerberos or other token provider, this
is a heavy lift. Another very common way of authenticating in the industry is
mTLS, which makes use of SSL certifications and can solve both wire encryption
and auth. For those already deploying trusted certificates in their infra, mTLS
may be much easier to integrate.
It isn't necessarily easy to implement this, but I do think we could use
existing Netty SSL support in the NettyRpcClient and NettyRpcServer. I know
it's easy to add SSL to non-blocking IO through a
hadoop.rpc.socket.factory.class.default which returns SSLSockets, but that
doesn't touch on the certification verification at all.
Much more investigation is needed, but logging this due to some interest
encountered on slack.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
